The combination of rapidly advancing technology and an ever-changing demographic, political and economic landscape, creates new challenges for cyber security professionals. Attackers leverage highly tailored malware, advanced persistent threats, massive denial-of-service attacks and a plethora other tools to compromise organizations of all types on a daily basis. To overcome these challenges, cyber defenders must create innovative new models for protecting their organizations from increasingly advanced threats.
Cyber attackers generally follow an established approach to compromise a target, known as the “attack chain.” This process includes surveillance, preparation of the exploit, delivery, deployment and control. Every step has a unique signature that can be identified within the technology environment, if you know where to find it. With robust visibility into the extended network and thorough intelligence, an attack can often be thwarted before causing major damage.
Intelligence comes from a variety of sources, including ‘native’ intelligence from within the organization, commercially available information from other public and private entities, and ongoing analysis of user behavior. This combined intelligence enables the rapid and successful detection of threats. Using the network to gather this sort of intelligence, cyber defenders gain a better understanding of what their adversaries are doing, and how to stop it.
The only way to halt the progress of the attack chain and protect valuable resources is to employ a security approach that is advanced beyond the attackers’ abilities, and addresses the extended network at each stage. Since an attack may be segmented into stages, it is then logical to respond to an attack in stages as well – before, during and after. This is a cycle that is ongoing for most security professionals.
Let’s take an in-depth look at each stage of the attack chain:
Before an event, security teams are constantly on guard for areas where they may be compromised. Traditionally, security had been all about an organization’s defensive posture. Today, teams are exploring ways to more intelligently and effectively stop intruders by giving them complete visibility into their environments – including, but not limited to users, physical and virtual hosts, operating systems, applications, services, protocols, content and network behavior. This knowledge allows defenders to act before an attack is underway.
During an attack, security teams need to understand what is happening, and how to stop it immediately to mitigate potential impact. Security teams have to discover where, what and how users are connected to applications and resources in order to continuously address threats, at any point in time. Tools including content inspection, behavior anomaly detection, context awareness of users, devices, location information and applications are critical to understanding the attack, as it is occurring.
After an incident, teams have to understand exactly what occurred and how to repair the damage. Advanced assessment and forensic tools enable security teams to gain valuable knowledge from attacks. What could have been done to prevent the breach? Where did the attacker come from? How did they find a hole in the network? This retrospective security approach allows an organization to continuously gather and analyze data to build stronger security intelligence. Compromises that may have grown undetected for weeks or months are identified, contained and remediated quickly.
Understanding these elements of the attack chain, it then follows that the most important piece of any defensive strategy is intelligence. Just like in counter terrorism operations, intelligence is critical for preventing attacks. Cyber security teams are constantly trying to learn more about who their enemies are, as well as why, and how, they are attacking. This is where the extended network provides unexpected value with a depth of intelligence that cannot be attained anywhere else in the IT environment.
Security in cyber space is often asymmetric. Small adversaries with limited means have the ability to inflict disproportionate damage on their victims. In these unbalanced situations, intelligence is one of the most valuable tools for addressing threats proactively. However, intelligence alone is of minimal benefit; a defensive approach must optimize the organizational and operational use of its intelligence.
For instance, with network analysis techniques that offer the ability to collect IP network traffic as it enters or leaves an interface, security teams can correlate identity and context, and then add threat intelligence and analytics capabilities. This enables security teams to combine what they learn from multiple sources of information, including what they know from the internet, their network, as well as a growing amount of collaborative intelligence, gleaned from exchange with public and private entities to help identify and stop threats.
A truly effective cyber security approach demands a framework that leverages an understanding of the central interests, opportunities, and challenges that an organization faces and aligns its governance, operations and enterprise capabilities to match those requirements. In other words, it allows defenders to think like attackers and better protect their environments.
The most effective security approach will leverage the security team’s threat intelligence, combined with commercial information gathered from public and private entities. Correlating this robust intelligence with analysis of user behavior allows organizations to build confidence in their security posture and enhance its ability to detect, protect against, and remediate security incidents as quickly and effectively as possible.